



US006298383B1 



(12) United States Patent (10) Patent No.: US 6,298,383 B1

Gutman et al. (45) Date of Patent: Oct. 2, 2001 



(54) INTEGRATION OF AUTHENTICATION 
AUTHORIZATION AND ACCOUNTING 
SERVICE AND PROXY SERVICE 

(75) Inventors: Andrew Mark Gutman, Foothill Ranch; Aravind Sitaraman; Sarapath Kumar Sthothra Bhasham, both of Santa Clara; Kalpathi S. Suryanarayanan, Cupertino, all of CA (US)

(73) Assignee: Cisco Technology, Inc., San Jose, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 09/225,247 

(22) Filed: Jan. 4, 1999 

(51) Int. Cl.7 G06F 13/00

(52) U.S. Cl. 709/229

(58) Field of Search 709/200, 202, 203, 223, 224, 227, 229

(56) References Cited

U.S. PATENT DOCUMENTS

4,763,191 8/1988 Gordon et al. 358/86
4,922,486 5/1990 Udinsky et al. 370/60
4,962,497 10/1990 Ferenc et al. 370/60.1
5,003,595 3/1991 Collins et al. 380/25

(List continued on next page.)

FOREIGN PATENT DOCUMENTS

0 567 217 10/1993 (EP) H04L 12/46
99/53408 10/1999 (WO) G06F 15/16

OTHER PUBLICATIONS

Bellovin, Steven M., "Problem Areas for the IP Security Protocols", Jul. 22-25, 1996, Proceedings of the Sixth Usenix UNIX Security Symposium, San Jose, CA.
Active Software, Inc., "Active Software's Integration System", printed from http://www.activesw.com/products/products.html, on Jul. 24, 1998.
Ascend Communications, Inc., "Access Control Product Information", 4 pages, Undated.
Ascend Communications, Inc., "Remote Access Network Security", printed from http://www.ascend.com/1103.html, on Jul. 24, 1998, pp. 1-8.
Ascend Communications, Inc., "MultiVPN from Ascend Communications: Breaking Down the Barriers to VPNs", White Paper, 1998.
Bracho, Dr. Rafael, "Integrating the Corporate Computing Environment with Active Software", Nov. 18, 1998, Active Software, pp. 1-17.
Bracho, Dr. Rafael, "Mastering Corporate Computing with the ActiveWeb System", 1996, Active Software, Inc.

(List continued on next page.)

Primary Examiner— Robert Harrell

(74) Attorney, Agent, or Firm— Thelen Reid & Priest LLP; David B. Ritchie

(57) ABSTRACT 

A single database maintained centrally hosts both proxy service data and authentication, authorization and accounting (AAA) data. Data is then copied to storage used locally by each system when both systems are instantiated. Therefore the ISP/Telco need not maintain two different databases. A protocol gateway (PGW) is used to determine whether the incoming user is a wholesale or retail user. The PGW filters the domain portion of the access request to locate a remote AAA service. If one such service is found, the PGW routes the communication via the proxy service to proxy it to the remote AAA service. The returned packet from the remote AAA service is then searched for an IP address to be assigned to the incoming user. If one is not found, the PGW obtains a dynamically allocated IP address from a DHCP server (using an IP-Pool-ID if supplied in the returned packet from the remote AAA service). The same mechanism is used to forward accounting event packets from the NAS to the remote AAA server. The PGW may monitor more than one proxy and/or AAA service and load balance among them.
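The PGW decision flow the abstract describes, modelled as an added Python example that is not part of the patent: the domain portion of the user name selects a remote AAA service, the returned packet is searched for an address, and a DHCP pool keyed by IP-Pool-ID supplies one otherwise, with accounting events routed the same way. The attribute names (Framed-IP-Address, IP-Pool-ID), the in-memory AAA and DHCP stand-ins and the sample users are assumptions constructed for the example; the patent names none of them.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Pgw:
    remote_aaa: dict[str, Callable]   # domain -> remote AAA service reached via the proxy
    local_aaa: Callable               # retail users are authenticated by the local AAA
    dhcp_pools: dict[str, list]       # IP-Pool-ID -> free addresses (stand-in for DHCP)
    default_pool: str = "default"
    log: list = field(default_factory=list)

    def route(self, request: dict) -> dict:
        """Answer one access request the way the abstract describes."""
        user = request["User-Name"]
        domain = user.partition("@")[2]            # empty for a retail user
        service = self.remote_aaa.get(domain)      # filter on the domain portion
        if service is None:                        # retail: the local AAA answers
            self.log.append(("local", user))
            reply = self.local_aaa(request)
        else:                                      # wholesale: proxy to the remote AAA
            self.log.append(("proxy", domain))
            reply = service(request)
        if reply.get("code") != "Access-Accept":
            return reply
        if "Framed-IP-Address" not in reply:       # no address in the returned packet
            pool = reply.get("IP-Pool-ID", self.default_pool)
            free = self.dhcp_pools.get(pool)
            if not free:                           # DHCP has nothing left in that pool
                return {"code": "Access-Reject", "reason": f"pool {pool} exhausted"}
            reply["Framed-IP-Address"] = free.pop(0)
        return reply

    def account(self, request: dict) -> str:
        """Accounting events from the NAS follow the same domain-based routing."""
        domain = request["User-Name"].partition("@")[2]
        target = "proxy" if domain in self.remote_aaa else "local"
        self.log.append(("acct", target, request["Acct-Status-Type"]))
        return target

def demo():
    """Constructed services and users; returns the gateway and the replies sent to the NAS."""
    def acme(req):   # remote AAA that assigns the address itself
        return {"code": "Access-Accept", "Framed-IP-Address": "10.1.0.7"}
    def beta(req):   # remote AAA that only names a pool, so the PGW asks DHCP
        return {"code": "Access-Accept", "IP-Pool-ID": "beta-pool"}
    def local(req):  # retail AAA: accepts, leaves addressing to the default pool
        return {"code": "Access-Accept"}
    pgw = Pgw({"acme.example": acme, "beta.example": beta}, local,
              {"default": ["192.0.2.10"], "beta-pool": ["10.2.0.20", "10.2.0.21"]})
    users = ("alice@acme.example", "bob@beta.example", "carol", "dave")
    return pgw, [pgw.route({"User-Name": u}) for u in users]
```

The fourth constructed user is rejected because the default pool holds a single address, which is the failure mode a real PGW has to report back to the NAS rather than admit a session without an address.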